March 2019 RubyGems Security Advisories

Updated 7th June.

Various vulnerabilities have been discovered in older RubyGems versions and it is recommended to upgrade to version 2.7.9 or a patched version of 2.6.x. Please see this RubyGems blog post for further information regarding the vulnerabilities themselves.

Current Solution

The 6th June Platform Release provides official fixes for these advisories and also makes changes to how the RubyGems installation is handled by the platform for certain stack and Ruby combinations.

  • For the new Engine Yard Ubuntu 19.05 (stable-v6) stack RubyGems is now provided by the Ruby installation.
  • For the Engine Yard Gentoo 16.06 (stable-v5) stack the latest RubyGems 2.7.9 and patched 2.6.14 versions have now been made available for selection on the Create and Edit Environment pages for environments running Ruby 2.3+. If upgrading to 2.7.x we advise pairing the upgrade with Stack Release stable-v5-3.0.58, as this contains a cookbook update in order to remove the version of Bundler packaged with RubyGems 2.7.x, which is some cases can clash and cause issues with deploys.
  • For environments running Ruby 2.4+ on stable-v5 we have also added a new 'built-in' option, which installs the RubyGems version matching the Ruby version as defined by the platform. This version will be dynamically updated as required for any future security advisories via Stack Upgrades, and so removes the necessity for you to manually alter the RubyGems version in use. If you require a non-standard version please use the Previous Solution detailed below.
  • For environments running Ruby 2.0, 2.1 or 2.2 on stable-v5 no changes have been made and the issue should be resolved using the Previous Solution detailed below.
  • For the Engine Yard Gentoo 12.11 (stable-v4) stack no changes have been made and the issue should be resolved using the Previous Solution detailed below.

Previous Solution

Engine Yard Gentoo 12.11 (stable-v4)

Make use of this custom chef recipe:

Please refer to this KnowledgeBase article if you need help in getting started with V4 custom chef recipes.

Engine Yard Gentoo 16.06 (stable-v5)

Add this block to the end of cookbooks/ey-custom/recipes/after-main.rb, updating the version as required:

execute "Update to rubygems 2.7.9" do
  command "gem install -v 2.7.9 rubygems-update && update_rubygems"
execute "Remove bundler installed by rubygems" do
command "rm -rf /usr/lib64/ruby/site_ruby/*/bundler{,.rb} && rm -f /usr/local/lib64/ruby/gems/*/specifications/default/bundler*gemspec"

Please refer to if you need help in getting started with V5 custom chef recipes.


Please test this upgrade on a staging or clone environment before upgrading production. To test, after upgrading RubyGems run an rm -rf /data/_app_/shared/bundled_gems then deploy your application. Also check the bundle command on the instance. To do this SSH to the instance as the deploy user and issue a bundle command, for example: cd /data/_app_/current && bundle exec gem list.

One issue we have seen at this time is related to the use of Bundler 2 to bundle gems on development systems. If you see issues please check that BUNDLED WITH in your Gemfile.lock file states a version lower than 2, and downgrade your local Bundler version if required.

Update 7th June: Our latest engineyard-serverside deployment helper version, 2.6.17, now detects the Bundler version used locally via the BUNDLED WITH in your Gemfile.lock file and installs this version on your EY instances. This is now compatible with Bundler 2. If you deploy via the EY Cloud Dashboard you will automatically use this version of engineyard-serverside, if you deploy via the CLI please install the latest version of the engineyard gem to utilise this serverside version.

Should you require assistance with any issues please contact Engine Yard Support.



Article is closed for comments.

Powered by Zendesk